Strange Auto-Forwarding


ch...@luckhurst.org

Nov 28, 2022, 10:22:51 AM11/28/22
to ntexchange
Hey all,
I have some funny entries, which of course do not resolve to anything when I click them, and I cannot see them in PowerShell.

They look like maybe they are hashes.

All go from this domain to some of our other external domains, all having connectors.

My first thought is an Indicator of Compromise... but it's because I assume the worst.

[Attachments: 1.PNG, 2.PNG]

Michael B. Smith

Nov 28, 2022, 10:26:27 AM11/28/22
to ntexc...@googlegroups.com

What was the account that created the emails and what is that account's purpose?


Thanks.


Regards,

Michael B. Smith

Managing Consultant

Smith Consulting, LLC


ch...@luckhurst.org

Nov 28, 2022, 10:36:18 AM11/28/22
to ntexchange
Not sure how to tell (n00b)

ch...@luckhurst.org

Nov 28, 2022, 11:09:41 AM11/28/22
to ntexchange
It appears to be in all our tenants; some are SMTP forwarding between different tenants that have a connector, but in one of our tenants we see that plus mailbox rules that forward from that address to various outside domains like outlook.com, yahoo.com -- opening a case with M$ now -- too strange.

On Monday, November 28, 2022 at 11:26:27 AM UTC-4 Michael B. Smith wrote:
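A read-only inventory of the forwarding paths discussed above (mailbox-level forwarding, inbox rules that forward or redirect, and mail flow rules), written as an added example for this thread rather than code from any poster. It assumes the ExchangeOnlineManagement module is installed and the signed-in account can read recipient and rule configuration; anything sent to a domain outside the tenant's accepted domains is reported.

```powershell
# Added example, not from the thread: list mailbox forwarding, inbox rules and
# mail flow rules in Exchange Online that send mail outside the tenant's own domains.
# Assumes the ExchangeOnlineManagement module and a role that can read recipient
# and rule configuration (View-Only Organization Management is enough).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Domains the tenant owns; any other recipient domain is treated as external.
$internal = @(Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() })

function Get-ExternalDomain {
    param([string]$Entry)
    # Rule recipients render as 'Display Name [SMTP:user@domain]'; mailbox forwarding
    # addresses are plain SMTP strings. Return the domain only if it is not ours.
    if ($Entry -match 'SMTP:([^\]\s]+)') { $Entry = $Matches[1] }
    if ($Entry -match '@([^\]\s>]+)') {
        $d = $Matches[1].ToLower()
        if ($internal -notcontains $d) { return $d }
    }
    return $null
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Where, [string]$Source, [string]$Target, [bool]$KeepsCopy) {
    $findings.Add([pscustomobject]@{ Where = $Where; Source = $Source; Target = $Target; KeepsCopy = $KeepsCopy })
}

$mailboxes = Get-EXOMailbox -ResultSize Unlimited -Properties ForwardingSmtpAddress, DeliverToMailboxAndForward
foreach ($mbx in $mailboxes) {
    # Mailbox-level forwarding is set by an admin and is easy to miss since it is not an inbox rule.
    $d = Get-ExternalDomain ([string]$mbx.ForwardingSmtpAddress)
    if ($d) { Add-Finding $mbx.PrimarySmtpAddress 'ForwardingSmtpAddress' $d $mbx.DeliverToMailboxAndForward }
    # Inbox rules: forward keeps the original in the mailbox, redirect does not.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue) {
        foreach ($t in @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo)) {
            $d = Get-ExternalDomain ([string]$t); if ($d) { Add-Finding $mbx.PrimarySmtpAddress "InboxRule:$($rule.Name)" $d $true }
        }
        foreach ($t in @($rule.RedirectTo)) {
            $d = Get-ExternalDomain ([string]$t); if ($d) { Add-Finding $mbx.PrimarySmtpAddress "InboxRule:$($rule.Name)" $d $false }
        }
    }
}
# Mail flow (transport) rules can also copy or redirect mail organisation-wide.
foreach ($tr in Get-TransportRule) {
    foreach ($t in @($tr.RedirectMessageTo) + @($tr.BlindCopyTo) + @($tr.AddToRecipients) + @($tr.CopyTo)) {
        $d = Get-ExternalDomain ([string]$t); if ($d) { Add-Finding 'Organization' "TransportRule:$($tr.Name)" $d (@($tr.RedirectMessageTo) -notcontains $t) }
    }
}
$findings | Sort-Object Where | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

The script only reads configuration, and every finding still has to be compared with the cross-tenant forwarding the connectors are expected to carry before anything is removed. Get-InboxRule is called once per mailbox, so expect it to take a while in a large tenant.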

ch...@luckhurst.org

Nov 28, 2022, 11:44:08 AM11/28/22
to ntexchange
... and dumbfounded... he is not sure. To be fair, their Quick Assist tool isn't working to "look",

so now I wait

Michael B. Smith

Nov 28, 2022, 3:46:29 PM11/28/22
to ntexc...@googlegroups.com

If you open the Queue Toolbox on an Exchange Server you can drill down into individual messages to see who sent them. Everything but their content.


I find the data, as you’ve shown it, to be quite suspicious.


Are you current with CUs?

ch...@luckhurst.org

Nov 29, 2022, 6:20:22 AM11/29/22
to ntexchange
Michael,
How rude of me. This is Exchange Online. Clicking each message spins.

It's funny, as if I search the odd characters, it almost seems like it's related to DLP...

The investigation continues; the outcome will be shared.